- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Help to make my apps CIM compliant
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I have developped a dashbord relative to firewall metrics.
I need to make my dashboard CIM compliant
Do i need my searches linked to the firewall datamodel with the firewall tstats datamodel (tstats where datamodel=....) or do i just need to create tags and eventtypes following the firewall datamodel ? I understand anything so is someone can d'escrime clearly all the steps for having my apps CIM compliant ?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No. First step to answering your question is understanding what datamodel is. It is a middle layer abstracting the actual data structure from your search.
This way if you want to do a search across your network devices you don't have to know specific technical details about the sources or even in which indexes the details are stored (CIM configuration takes care of that). You're just doing a search on a datamodel. For example
| tstats sum(All_Traffic.bytes) from datamodel=Network_Traffic where All_Traffic.src_ip=172.16.* by All_Traffic.src_ip
will give you amount of traffic per source IP from a specific network. It doesn't care where the actual data comes from - this is the beauty of the datamodel. As long as your sources are properly onboarded and CIM-compliant it doesn't matter if the data comes from Juniper, Palo Alto, Cisco or Fortigate. Datamodel abstracts this from your search.
But in order for this to work properly as I mentioned you must have properly onboarded data - you must have proper addons making sure the data is properly normalized and provides standardized fields (even if the fields are named differently in the original event). This is done by means of field aliases and calculated fields.
So you don't typically use term "CIM-compliance" talking about searching/dashboards. When searching you're not "compliant". You simply use the datamodel. It's the underlying data that must be CIM-compliant so your searches against datamodels work properly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your question is not clear.
If you want to make your ingested data CIM-compliant you should do as @marnall says - create tags, make sure your fields are either CIM-conformant or create calculated fields and aliases to make them CIM-conformant.
But as you're speaking about dashboards - if you want to use datamodels, just do that - search or do tstats over datamodels, not raw data. And use those searches to power your dashboard panels.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To make your app CIM-compliant, you should do the following:
1. Use EventTypes to apply the tags to the events so they end up in the correct data model. E.g. tag "network" and "communicate" to put it in the NetworkTraffic data model.
2. Add field extractions, calculated fields, lookups, etc, to get values for the fields listed in the CIM model. The vladiator app is useful for this purpose: https://splunkbase.splunk.com/app/2968
Ref: https://docs.splunk.com/Documentation/CIM/5.3.2/User/NetworkTraffic
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
not sure to understand
when you say "1. Use EventTypes to apply the tags to the events so they end up in the correct data model. E.g. tag "network" and "communicate" to put it in the NetworkTraffic data model."
imagine that my searc is index=main uri="*.php*" OR uri="*.py*"
Do you meant that i have to onboard this in a tag called "network"?
And if i have a field called "ip" in my apps does it mean i have to tag it as "dest_ip" following the Network Traffic datamodel?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No. First step to answering your question is understanding what datamodel is. It is a middle layer abstracting the actual data structure from your search.
This way if you want to do a search across your network devices you don't have to know specific technical details about the sources or even in which indexes the details are stored (CIM configuration takes care of that). You're just doing a search on a datamodel. For example
| tstats sum(All_Traffic.bytes) from datamodel=Network_Traffic where All_Traffic.src_ip=172.16.* by All_Traffic.src_ip
will give you amount of traffic per source IP from a specific network. It doesn't care where the actual data comes from - this is the beauty of the datamodel. As long as your sources are properly onboarded and CIM-compliant it doesn't matter if the data comes from Juniper, Palo Alto, Cisco or Fortigate. Datamodel abstracts this from your search.
But in order for this to work properly as I mentioned you must have properly onboarded data - you must have proper addons making sure the data is properly normalized and provides standardized fields (even if the fields are named differently in the original event). This is done by means of field aliases and calculated fields.
So you don't typically use term "CIM-compliance" talking about searching/dashboards. When searching you're not "compliant". You simply use the datamodel. It's the underlying data that must be CIM-compliant so your searches against datamodels work properly.
3 Ways to Make OpenTelemetry Even Better
What's New in Splunk Cloud Platform 9.2.2406?
Enterprise Security Content Update (ESCU) | New Releases
